CN109829285A - A kind of digital signature method, device, equipment and storage medium - Google Patents
A kind of digital signature method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN109829285A CN109829285A CN201811466594.XA CN201811466594A CN109829285A CN 109829285 A CN109829285 A CN 109829285A CN 201811466594 A CN201811466594 A CN 201811466594A CN 109829285 A CN109829285 A CN 109829285A
- Authority
- CN
- China
- Prior art keywords
- signature
- application
- work
- private key
- apk
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of digital authentication methods, on the sign test process basis of V2 scheme, it is whether credible by verification agency's certificate, reinforcement extension is carried out to the verification of V2 scheme, so that manufacturer, payment mechanism can control could only install by the application of oneself signature in equipment, accomplish the control to installation application, guarantees that mounted application is not maliciously tampered.In addition also by the way that authority information is written in signing messages in signature; prevent any application to the random calling of the interfaces such as code keyboard, printer; and the authority items of application application are protected by way of encrypted signature; facilitate permission modification simultaneously; application permission is changed without repacking compiling application; the application that can prevent malice from distorting is mounted directly in equipment around signature, janus loophole existing for the signature sign test based on solving the existing scheme by V1.
Description
Technical field
The present invention relates to electronic communication security fields, especially a kind of digital signature method, device, equipment and storage are situated between
Matter.
Background technique
Android native system installation APK is in application, common signature scheme has two schemes of V1, V2, but Janus
Signature loophole can allow attacker to bypass the V1 signature mechanism of Android system, and then directly distort to App, and due to peace
Other security mechanisms of tall and erect system are also built upon on signature and sign test basis, which has amounted to a bypass Android system
Entire security mechanism, and when application carry out permission modification when operate it is more complicated, need to re-start packing compiling answer
To change application permission, it is therefore desirable to propose a kind of raising permission modification efficiency and solve the leakage of Janus existing for V1 scheme
The method in hole.
Summary of the invention
The present invention is directed to solve at least some of the technical problems in related technologies.For this purpose, of the invention
One purpose is to provide a kind of digital signature that can be improved permission modification efficiency and solve Janus loophole existing for V1 scheme
Method, apparatus, equipment and storage medium.
The technical scheme adopted by the invention is that:
In a first aspect, the present invention provides a kind of digital signature method, comprising steps of
Obtain root public private key pair and work public private key pair;
Work certificate is obtained according to root public key, root private key and work public key;
It is signed using work private key and work certificate to APK application;
Described public private key pair and work public private key pair are generated by encryption equipment;
It is described using work private key and work certificate to APK application carry out signature include: that A.L.S. is written into authority information
In breath, the authority information refers to that APK applies the calling permission to distinct interface.
Further, the APK applies to pass through compressed APK file, refers specifically to the APK file and is used for
The primary signature scheme of Android is signed, and the primary signature scheme of Android refers to V1 or V2 signature scheme.
Further, the step carries out signature to APK application using work private key and work certificate and specifically includes step:
The original hash value of APK application is calculated, and the original hash value is added in signing messages main body;
The signing messages main body is signed to obtain signed data using work private key and work certificate;
The signed data, the signing messages main body and the work certificate are inserted into signaling block.
Further, it signs when V2 was not used in APK application, then uses the first magic number as the magic number of signaling block;When
The APK after signed data is inserted into original signed data, uses the second magic number as signature using V2 signature is crossed
The magic number of block.
Further, further include to APK application sign when, using sign test flag bit come when selecting application upgrade whether
Sign test process is closed, the sign test flag bit is defaulted as carrying out sign test process.
Further, signed data is stored using V2 signature scheme form, is generated using rivest, shamir, adelman, number of signature
It is DER format according to coded format, the work certificate is stored using x.509 format.
Second aspect, the present invention also provides a kind of digital signature devices, comprising:
Public and private key acquisition device: for obtaining root public private key pair and work public private key pair;
Work certificate acquisition device: for obtaining work certificate according to root public key, root private key and work public key;
Signature apparatus: it signs for being applied using work private key and work certificate to APK, including authority information is write
Enter in signing messages, the authority information refers to that APK applies the calling permission to distinct interface.
The third aspect, the present invention provide a kind of control equipment of digital signature, comprising:
At least one processor;And
The memory being connect at least one described processor communication;Wherein,
The memory is stored with the instruction that can be executed by least one described processor, and described instruction is by described at least one
A processor executes, so that at least one described processor is able to carry out such as the described in any item methods of first aspect.
Fourth aspect, the present invention provide a kind of computer readable storage medium, the computer-readable recording medium storage
There are computer executable instructions, the computer executable instructions are for executing computer as first aspect is described in any item
Method.
The beneficial effects of the present invention are:
Digital signature method of the invention prevents any application by the way that authority information is written in signing messages in signature
To the random calling of the interfaces such as code keyboard, printer, and by way of encrypted signature to application application authority items into
Row protection, while facilitating permission modification, application permission is changed without repacking compiling application, can prevent from disliking
The application distorted of anticipating is mounted directly in equipment around signature, and the signature sign test based on solving the existing scheme by V1 is deposited
Janus loophole.
It the composite can be widely applied to digital authenticating system.
Detailed description of the invention
Fig. 1 is the flow chart of the digital signature method of one embodiment of the present invention;
Fig. 2 is the signature process schematic diagram of the digital signature method of one embodiment of the present invention;
Fig. 3 is the detail flowchart of the digital signature method of one embodiment of the present invention;
Fig. 4 is the signing messages data format schematic diagram of the digital signature method of one embodiment of the present invention;
Fig. 5 is the signaling block form schematic diagram of the digital signature method of one embodiment of the present invention;
Fig. 6 is the structural block diagram of the digital signature device of one embodiment of the present invention.
Specific embodiment
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, Detailed description of the invention will be compareed below
A specific embodiment of the invention.It should be evident that drawings in the following description are only some embodiments of the invention, for
For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other
Attached drawing, and obtain other embodiments.
Embodiment one:
As shown in Figure 1, the flow chart of the digital signature method for the present embodiment, comprising steps of
S1: obtaining root public private key pair and work public private key pair, and wherein root public private key pair and work public private key pair are by encryption equipment
It generates.
S2: work certificate is obtained according to root public key, root private key and work public key.
S3: it is signed using work private key and work certificate to APK application, including signing messages is written into authority information
In, prevent any application to the random calling of the interfaces such as code keyboard, printer, wherein authority information refers to that APK is applied to difference
The calling permission of interface.
The authority items of application application are protected by way of encrypted signature, while facilitating permission modification, are being not necessarily to
Application permission is changed in the case where repacking compiling application, the application that can prevent malice from distorting directly is mounted around signature
In equipment.
Specifically: to before application signature, it is desirable that client fills in authority according to application demand, and when signature can be by permission
Description item is added in signing messages main body, applies when calling arrives corresponding interface, and terminal judges to apply whether have permission
Call the corresponding interface.Rights file formats are txt text formatting, and authority content is only the authority items applied using needs,
Every row one can apply for that permission is tabulated as shown in table 1 below.
As shown in Fig. 2, in the present embodiment, client is used for digital signature method signature process schematic diagram in the present embodiment
The digital signature method of the present embodiment carries out signature operation to application, generates root public private key pair by encryption equipment and the public and private key that works
It is right, work certificate and root certificate are obtained according to root public key, root private key and work public key, wherein root public key is issued for generating root certificate
Terminal device quotient is issued, root private key is taken care of by client, and for the encrypted signature of root certificate and work certificate, the private key that works is also by visitor
Family keeping, for being encrypted to the signature of application.
Client needs to upload in signature process application to be signed and corresponding authority, and sign test flag bit is arranged
Select sign test process whether is closed when application upgrade, sign test flag bit is defaulted as carrying out sign test process.Original APK file is plus label
Name information data constitutes the APK file signed.
As shown in figure 3, progress HASH operation calculates APK first for digital signature method detail flowchart in the present embodiment
The original hash value of application, and original hash value is added in signing messages main body, recycle work private key and work certificate pair
Signing messages main body is signed to obtain signed data, will finally be obtained signed data, signing messages main body and work certificate and be inserted
Enter into signaling block, wherein the signaling block ID customized is 0x78676432, authority information is included in signing messages main body.
If the V2 scheme signature of Android was not used in APK application, with the first magic number " XGD Sig Block 42 "
Signaling block is generated, if APK signs using the V2 scheme for crossing Android, signed data is inserted into original signature
It after data, and is the magic number of signaling block with the second magic number " APK Sig Block 42 ", the application after generating signature.
After analysis APK file signature format, discovery is added to signed data in the Signing Block of APK, both
Signed data can be saved, and can guarantee that added signing messages will not influence the installation procedure of former APK file.
As shown in figure 4, for the signing messages data format schematic diagram of digital signature method in the present embodiment, wherein A.L.S.
It ceases data and signed data data is stored using V2 signature scheme form, generated using rivest, shamir, adelman, coded format DER
Format, work certificate are stored using x.509 format.
Visible signing messages format successively includes: file type title, head point, signing messages main part, label in figure
Name data and work certificate.
Wherein signing messages main part is also known as signed region, comprising: main part starts, version structure, sign test
Flag bit, Digital Signature Algorithm, signature time, original document hash and file permission expansion.
Whether sign test process is closed when sign test flag bit is for selecting application upgrade, such as client is using signature system
Signature closes application upgrade sign test option in application, can choose, in this way when equipment finds that application to be installed is update
When (refer to that equipment has been mounted with corresponding A PK applications, and the signatures of two applications be it is identical or), then skip to application
Sign test movement directly carry out using installation, can so save application upgrade installation time, sign test flag bit default be need to
Sign test process is carried out, i.e., during sign test, after receiving signature application, its sign test flag bit is judged, when sign test mark
Position indicate close sign test process, and be update when, then skip sign test process, directly carry out using installation.
The signature scheme of the present embodiment is that directly to compressed APK file is entirely passed through, (i.e. the APK file itself has been
Have passed through the primary signature scheme signature of Android, such as V1 scheme or V2 scheme) it signs, by the signed data data of generation
It is inserted into the file content of compression, it, can't be primary to Android in the APK signaling block between source data and catalogue source data
Sign test has an impact.
As shown in figure 5, for the signaling block form schematic diagram of the present embodiment signature application, including two kinds of situations, primary signature
It is V2 scheme for V1 scheme and primary signature.
1) scene one: primary signature is V1 scheme.
It is the signature block size of 8 bytes first, this size does not include 8 bytes of the field itself, followed by least one
Signed data field (ID-Value block size including 8 bytes, the ID number of 4 byte and corresponding signed data,
The signaling block ID of customization is 0x78676432), followed by the signature block size of 8 bytes, be with 8 bytes of beginning it is equal,
It is finally the signaling block evil spirit number of 16 fixed bytes, this scene is possessed number are as follows: " XGD Sig Block 42 ".
2) scene two: primary signature is V2 scheme.
It is the signature block size 8 bytes of the field itself (this size do not include) of 8 bytes first, followed by a side V2
Case primary signed data field (ID-Value block size including 8 bytes, 4 byte primary signature ID number and
Corresponding signed data, primary signature ID number is 0x7109871a), followed by the signed data of at least one of such as scene one
Field, followed by the signature block size of 8 bytes are equal with 8 bytes of beginning, are finally the signatures of 16 fixed bytes
Block evil spirit number, this scene are possessed number are as follows: " APK Sig Block 42 ".
Embodiment two:
As shown in fig. 6, being the digital signature device structural block diagram of one embodiment of the present invention, comprising:
Public and private key acquisition device: for obtaining root public private key pair and work public private key pair;
Work certificate acquisition device: for obtaining work certificate according to root public key, root private key and work public key;
Signature apparatus: it signs for being applied using work private key and work certificate to APK, including authority information is write
Enter in signing messages, the authority information refers to that APK applies the calling permission to distinct interface.
On the other hand, one embodiment of the present invention also provides a kind of computer readable storage medium, computer-readable to deposit
Storage media is stored with computer executable instructions, the side that computer executable instructions are used to that computer to be made to execute such as embodiment one
Method.
Digital signature method of the invention prevents any application by the way that authority information is written in signing messages in signature
To the random calling of the interfaces such as code keyboard, printer, and by way of encrypted signature to application application authority items into
Row protection, while facilitating permission modification, application permission is changed without repacking compiling application, can prevent from disliking
The application distorted of anticipating is mounted directly in equipment around signature, and the signature sign test based on solving the existing scheme by V1 is deposited
Janus loophole.It the composite can be widely applied to digital authenticating system.
It is to be illustrated to preferable implementation of the invention, but the invention is not limited to the implementation above
Example, those skilled in the art can also make various equivalent variations on the premise of without prejudice to spirit of the invention or replace
It changes, these equivalent deformations or replacement are all included in the scope defined by the claims of the present application.
Claims (9)
1. a kind of digital signature method, which is characterized in that comprising steps of
Obtain root public private key pair and work public private key pair;
Work certificate is obtained according to root public key, root private key and work public key;
It is signed using work private key and work certificate to APK application;
Described public private key pair and work public private key pair are generated by encryption equipment;
It is described using work private key and work certificate to APK application carry out signature include: by authority information be written signing messages in,
The authority information refers to that APK applies the calling permission to distinct interface.
2. a kind of digital signature method according to claim 1, which is characterized in that the APK applies as after overcompression
APK file, refer specifically to the APK file and be used for the primary signature scheme of Android to sign, the Android
It is at least one below primary signature scheme: V1 and V2 signature scheme.
3. a kind of digital signature method according to claim 2, which is characterized in that the step utilizes work private key and work
Certificate carries out signature to APK application and specifically includes step:
The original hash value of APK application is calculated, and the original hash value is added in signing messages main body;
The signing messages main body is signed to obtain signed data using work private key and work certificate;
The signed data, the signing messages main body and the work certificate are inserted into signaling block.
4. a kind of digital signature method according to claim 3, which is characterized in that when V2 was not used in APK application
Signature then uses the first magic number as the magic number of signaling block;When the APK using cross V2 signature, signed data is inserted into
After original signed data, use the second magic number as the magic number of signaling block.
5. a kind of digital signature method according to claim 1, which is characterized in that further include signing to APK application
When, sign test process whether is closed when selecting application upgrade using sign test flag bit, the sign test flag bit is defaulted as being tested
Label process.
6. a kind of digital signature method according to claim 1, which is characterized in that using V2 signature scheme form storage label
Name data, are generated using rivest, shamir, adelman, and signed data coded format is DER format, and the work certificate is using x.509
Format storage.
7. a kind of digital signature device characterized by comprising
Public and private key acquisition device: for obtaining root public private key pair and work public private key pair;
Work certificate acquisition device: for obtaining work certificate according to root public key, root private key and work public key;
Signature apparatus: for using work private key and work certificate to APK application sign, including by authority information be written sign
In name information, the authority information refers to that APK applies the calling permission to distinct interface.
8. a kind of control equipment of digital signature characterized by comprising
At least one processor;And
The memory being connect at least one described processor communication;Wherein,
The memory is stored with the instruction that can be executed by least one described processor, and described instruction is by described at least one
It manages device to execute, so that at least one described processor is able to carry out such as method as claimed in any one of claims 1 to 6.
9. a kind of computer readable storage medium, which is characterized in that the computer-readable recording medium storage has computer can
It executes instruction, the computer executable instructions are for making computer execute such as method as claimed in any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811466594.XA CN109829285A (en) | 2018-12-03 | 2018-12-03 | A kind of digital signature method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811466594.XA CN109829285A (en) | 2018-12-03 | 2018-12-03 | A kind of digital signature method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109829285A true CN109829285A (en) | 2019-05-31 |
Family
ID=66859826
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811466594.XA Pending CN109829285A (en) | 2018-12-03 | 2018-12-03 | A kind of digital signature method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109829285A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113221072A (en) * | 2021-04-16 | 2021-08-06 | 江苏先安科技有限公司 | Third party countersignature and verification method based on android system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102663320A (en) * | 2012-04-12 | 2012-09-12 | 福建联迪商用设备有限公司 | Method for terminal identification developers and dividing developers with different permissions |
CN103944903A (en) * | 2014-04-23 | 2014-07-23 | 福建联迪商用设备有限公司 | Multi-party authorized APK signature method and system |
KR101659990B1 (en) * | 2015-10-02 | 2016-09-26 | 주식회사 이노스텍 | certificate issuing system |
CN107493288A (en) * | 2017-08-28 | 2017-12-19 | 深圳市新国都支付技术有限公司 | Application network method of controlling security and device based on Android versions POS |
CN107769924A (en) * | 2017-09-11 | 2018-03-06 | 福建新大陆支付技术有限公司 | Verify the method and system of POS APK signatures |
-
2018
- 2018-12-03 CN CN201811466594.XA patent/CN109829285A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102663320A (en) * | 2012-04-12 | 2012-09-12 | 福建联迪商用设备有限公司 | Method for terminal identification developers and dividing developers with different permissions |
CN103944903A (en) * | 2014-04-23 | 2014-07-23 | 福建联迪商用设备有限公司 | Multi-party authorized APK signature method and system |
KR101659990B1 (en) * | 2015-10-02 | 2016-09-26 | 주식회사 이노스텍 | certificate issuing system |
CN107493288A (en) * | 2017-08-28 | 2017-12-19 | 深圳市新国都支付技术有限公司 | Application network method of controlling security and device based on Android versions POS |
CN107769924A (en) * | 2017-09-11 | 2018-03-06 | 福建新大陆支付技术有限公司 | Verify the method and system of POS APK signatures |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113221072A (en) * | 2021-04-16 | 2021-08-06 | 江苏先安科技有限公司 | Third party countersignature and verification method based on android system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107463806B (en) | Signature and signature verification method for Android application program installation package | |
US8635442B2 (en) | System and method for long-term digital signature verification utilizing light weight digital signatures | |
CN110532811B (en) | PDF (Portable document Format) signature method and PDF signature system | |
CN106656513B (en) | The secondary packing signature verification method of APK file on Android platform | |
US11757655B1 (en) | Systems and methods for distributed extensible blockchain structures | |
CN109756340A (en) | A kind of number sign test method, apparatus and storage medium | |
CN110362990A (en) | Using the security processing of installation, apparatus and system | |
CN104320257A (en) | Electronic record validation method and device | |
CN106295255A (en) | The reinforcement means of application program and device | |
CN107980132A (en) | A kind of APK signature authentications method and system | |
US7962765B2 (en) | Methods and systems for tamper resistant files | |
CN108710500A (en) | Resource issuing method, update method and device | |
CN107301343A (en) | Secure data processing method, device and electronic equipment | |
CN104573527A (en) | UEFI system updating method based on updating security mechanism | |
CN107516045A (en) | Document protection method and device | |
EP2913973A1 (en) | Trusted NFC smart poster tag | |
CN105873044A (en) | Application program issuance method based on Android platform, developer tracing method and developer tracing device | |
CN114817890A (en) | Electronic signature method and device of document, terminal equipment and storage medium | |
CN109829285A (en) | A kind of digital signature method, device, equipment and storage medium | |
CN110490542B (en) | Signature file generation method, signature file transmission method and system | |
KR20230127952A (en) | Data security apparatus | |
KR20210107681A (en) | Circuit chip and its operation method | |
CN110535663B (en) | Method and system for realizing trusted timestamp service based on block chain | |
CN101355428A (en) | Method for protecting data integrity using increment checkout | |
CN108875385B (en) | Method and device for communication between applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190531 |
|
RJ01 | Rejection of invention patent application after publication |